What You Should Know About DPA vs. GDPR
Anyone with even a minor internet presence is bound to have come across the term privacy laws or GDPR or both. Long story short, GDPR is the European Union’s strict policies aimed at protecting the privacy of an EU citizen. The EU has a strong track record of protecting an individual’s rights, especially privacy.
Implemented in 2018, the General Data Protection Rules shifted the balance of power from businesses to individuals. Since then, GDPR has become a guiding light for data privacy across the world.
Right, so what is the DPA, then?
The Data Protection Act was a law enacted in the United Kingdom with similar goals to protect citizen’s data. However, this one has some history to it. First implemented in 1998, when the internet was still very young, and data wasn’t yet the new oil, it has undergone multiple revisions to keep up with the changing times. Its latest version was introduced in 2018, the same year as the GDPR.
And that’s hardly surprising, given that the DPA 2018 borrows generously from the GDPR data protection framework and also complements the GDPR rules.
Same, but different?
When the intent is the same, the implementation will be similar. The over-arching principles are the same, but the finer details are slightly different. Thomson Reuters goes into great detail in comparing the two laws in their Practical Law section. A prudent point to note here is that the comparison is between the old DPA and the combination of the new laws; i.e. DPA 1998 versus GDPR+DPA 2018.
Why so? Because of the relation between the EU and the UK
The European Union is a financial and administrative collaboration between most countries of Europe. A key point was the creation of a common currency among members and setting up institutions with jurisdiction over all members related to some parts of defense and justice.
In the interest of boosting trade, citizens of member countries could freely move in the European Union area without having to apply for separate visas or having to endure passport control. But creating the European Union took a long time over many years of discussions, treaties, understandings, and agreements. During this time, governments in the UK were changing, and so were the ideologies – the UK was seesawing between joining the EU and not joining.
Ultimately, the UK joined the EU but was not a full member. The UK joined under the conditions that it would maintain its currency – the Pound – along with the common currency – the Euro. It also maintained an “open border” between itself and the EU. Citizens could move between the EU and the UK and stay for any length without visas, but passport controls were in place.
In 2016, it all changed when the UK decided to leave the EU in a decision famously termed Brexit.
Brexit’s Impact on GDPR
As long as the UK was a quasi member of the EU, the laws enacted by the EU applied to the UK as well, but the enforcement of such laws was subject to the UK government’s approval. So the usual practice was to make minor essential changes to the EU laws and pass a UK version of them in the British Parliament.
It wasn’t different for the data privacy laws either.
As and when GDPR was taking shape in the EU, DPA (the 2018 version) was taking shape in the UK. And since both had the same origins, they are somewhat similar. However, Brexit meant that EU citizens are no more the same as UK citizens, and so EU laws would not apply to UK citizens and vice versa. Subtle differences can have severe impacts on individuals as well as businesses.
A distinction that can have serious repercussions relates to the rights of the user. Whereas the GDPR holds a user’s right as the highest priority, DPA 2018 provides an exemption when organizations “processing data for scientific, historical, statistical and archiving purposes.”
Because of many such fine details and polished nuances embedded deep into the laws, businesses dealing with clients in the EU and the UK cannot afford to take data privacy rules lightly. At oneDPO, we apply artificial intelligence and privacy engineering to help organizations protect privacy, a fundamental human right, and be compliant with all the applicable laws.